After much research and discussion, the New York State Department of Financial Services (DFS) has released the near-final version of its Cybersecurity Requirements for Financial Services Companies. The DFS Cybersecurity Regulation is breathtaking in its scope and will soon become a major factor in how financial entities, including banks, financial services firms, and insurance carriers, secure their operations.
Properly implementing the DFS Cybersecurity Regulation will be no small feat. The regulation requires the implementation of a variety of cybersecurity policies and procedures, ranging from the well-known to the relatively novel. Posing an even greater challenge for entities covered by the regulation is the fact that they must start imposing virtually the same strict cybersecurity controls on third parties with which they do business. The regulation will also require directors and officers of entities falling under its purview to certify annually that they have a compliant program in place. It is therefore easy to anticipate that these newly created or modified cybersecurity programs will be the subject of much scrutiny.
This alert identifies key elements of the DFS Cybersecurity Regulation, which third parties and vendors will be impacted by the Regulation, questions left unanswered by the regulation as currently drafted, and steps covered entities can take to become compliant with the Regulation while also managing potential civil liability.
Overview of the DFS Cybersecurity Regulation
DFS has released one of the most comprehensive and ambitious cybersecurity regulations yet seen. Beginning in 2017, entities covered by the regulation will be required to develop and implement a broad suite of cybersecurity programs and policies, training regimes, risk analyses and vulnerability assessments, incident response capabilities, and other controls. Moreover, the regulation requires that the policies, procedures, and various testing programs and assessments be regularly repeated and refreshed. All in all, the regulation represents a significant (and likely costly) set of new requirements for the nearly 2,000 covered entities that must comply with it.
The regulation defines covered entities as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.” Note that entities are exempted if they have had less than 1,000 customers on average over the past three years, less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets.
The required elements of the regulation include:
- Designing and implementing a written cybersecurity plan to protect information systems and non-public information (which covers any business-related information, information provided to a covered entity, health care information, and “personally identifiable information”). Some of the less common cybersecurity plan components include:
  - capacity and performance planning;
  - systems operations and availability concerns;
  - systems and network security and monitoring;
  - systems and application development and quality assurance;
  - physical security and environmental controls; and
  - vendor and third-party service provider management.
- The overall cybersecurity program shall be reviewed at least annually by the covered entity’s board of directors (or its equivalent governing body) and approved by a senior officer of the covered entity.
- Creation and implementation of an incident response plan.
- A chief information security officer (CISO) must be appointed and report at least biannually on the state of the entity’s cybersecurity to the board of directors or its equivalent.
- Covered entities must either employ cybersecurity personnel or “utilize a qualified third party to assist in complying with the requirements.”
- Annual penetration testing and risk assessments must be completed, along with quarterly vulnerability assessments and regular training.
- Cybersecurity audit records must be maintained and kept for at least six years.
- The cybersecurity program must implement security measures for its applications or apps.